[Freeipa-users] FreeIPA Server with ECC certificate in LDAPS (389DS)

Marat Vyshegorodtsev marat.vyshegorodtsev at gmail.com
Fri Nov 6 09:24:17 UTC 2015


Actually, looking at the source code of 389DS, it is impossible.


I gave up.


http://fossies.org/linux/389-ds-base/ldap/servers/slapd/ssl.c
(see screenshot)


Only RSA and some mysterious Fortezza are allowed. NSS's
SSL_ConfigSecureServer actually does support kt_dh; not sure whether it applies
to ECDH as well.

I think working around 389DS's SSL code would be harder than just wrapping
port 389 in stunnel, but the FreeIPA installer doesn't allow port 636 to
be used by anyone else.

Seriously, can we just drop Apache+mod_nss and LDAP+libnss? Instead, have
the web GUI wrapped into nginx and LDAP into stunnel?

One may argue that there won't be single sign-on, because Kerberos, but is
anyone seriously using IE anymore?

As you might have seen from a parallel thread, NSS does a terrible job with
SSL Labs by default. It is almost 2016, TLSv1.3 will be released soon, but it
barely has support for TLSv1.2.
For now, I suggest writing it in the docs and adding a check to the ipa CLI tools
not to allow ECC certs.

Marat

On Fri, 6 Nov 2015 at 17:50, Martin Kosek <mkosek at redhat.com> wrote:

> On 11/05/2015 02:39 PM, Marat Vyshegorodtsev wrote:
> > Hi!
> >
> > I've been fighting for the past week with FreeIPA and trying to make
> > it work with my own CA certificate that is ECDSA_SHA256.
> >
> > Even though I somehow fixed /etc/httpd/conf.d/nss.conf to make it work
> > (basically added the correct NSSCipherSuite), LDAP (389DS) is a tough nut.
> >
> > The command I used is:
> >
> > ipa-server-install --mkhomedir --hostname 'ipa.mydomain.com' --realm
> > MYDOMAIN.COM --domain mydomain.com --ds-password 'DS_PASSWORD_HERE'
> > --admin-password 'ADMIN_PASSWORD_HERE' --no-ntp --unattended
> > --no-host-dns --dirsrv-cert-file /etc/ipa/ipa.p12 --http-cert-file
> > /etc/ipa/ipa.p12 --dirsrv-pin 'PIN_FOR_CERT' --http-pin 'PIN_FOR_CERT'
> > --ca-cert-file /etc/ipa/myownca.pem
> >
> > In this case, installation fails at the following step:
> > Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
> > 'ipa.rpay.us' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
> > '/var/lib/ipa/tmp5KkCae' '-T' '/var/lib/ipa/tmpTC27Ap'
> > 'uid=admin,cn=users,cn=accounts,dc=rpay,dc=us'' returned non-zero exit
> > status 1
> >
> > In /var/log/ipaserver-install.log I see a message:
> > DEBUG stderr=ldap_start_tls: Protocol error (2)
> >         additional info: SSL not supported by this server.
> >
> > Basically, LDAP is broken now (it doesn't allow connecting without the -ZZ
> > flag, and fails with it, since TLS is misconfigured at this point).
> >
> > What actually happens is that LDAP gets configured to use RSA as the key
> > exchange algorithm, and fails, since the cert is an ECC cert.
> >
> > In /var/log/dirsrv/slapd-MYDOMAIN-COM/errors you can see:
> > [05/Nov/2015:12:22:36 +0000] - SSL alert: ConfigSecureServer: Server
> > key/certificate is bad for cert FreeIPA of family
> > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -12200
> > - The certificate provided cannot be used with the selected key
> > exchange algorithm.)
> >
> > This is configured by ipaserver/install/dsinstance.py under def
> > __enable_ssl:
> >
> >         entry = conn.make_entry(
> >             DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
> >             objectclass=["top", "nsEncryptionModule"],
> >             cn=["RSA"],
> >             nsSSLPersonalitySSL=[self.nickname],
> >             nsSSLToken=["internal (software)"],
> >             nsSSLActivation=["on"],
> >         )
> >         conn.add_entry(entry)
> >
> > My question is, is it possible to replace RSA with ECDSA here? If so,
> > what parameters should I pass to LDAP?
>
> Honza or Ludwig, do you know? This is certainly uncharted territory; you are
> the first person I know about trying to install FreeIPA CA-less with an ECC
> certificate.
>
> There is a ticket to get ECC support in PKI (i.e. not CA-less), but it has
> not been completed yet:
> https://fedorahosted.org/freeipa/ticket/3951
>
> >
> > If this is fixable, can someone add autodetection of the type of
> > certificate and enable the appropriate algorithms in LDAP and Apache?
> >
> > Best regards,
> > Marat Vyshegorodtsev
> >
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_1381.PNG
Type: image/png
Size: 96862 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20151106/b29e4673/attachment.png>
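The preflight check Marat suggests above (refuse an ECC certificate before the installer writes cn=RSA,cn=encryption,cn=config) could look like the following. This is an added example, not FreeIPA or 389DS code: it walks the certificate DER with a small hand-written parser rather than FreeIPA's NSS bindings, the function names are invented, and the two sample certificates are constructed, unsigned shells built inline so that the check runs offline.

```python
"""Preflight check: refuse a 389DS server certificate whose public key the
cn=RSA,cn=encryption,cn=config family cannot serve.  Added example, not
FreeIPA code; a minimal DER walker so it runs without third-party modules."""

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"     # rsaEncryption
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"      # id-ecPublicKey
PRIME256V1 = "1.2.840.10045.3.1.7"
# The thread reports that 389DS' ssl.c only configures RSA and Fortezza
# families and that FreeIPA's installer hard-codes cn=RSA; map accordingly.
FAMILY_FOR_ALGORITHM = {RSA_ENCRYPTION: "RSA"}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Dotted-string form of a DER OBJECT IDENTIFIER content octets."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def certificate_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV from an X.509 DER certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)           # tbsCertificate ::= SEQUENCE
    tag, _, after_version = _read_tlv(tbs, 0)
    pos = after_version if tag == 0xA0 else 0   # skip EXPLICIT [0] version
    for _ in range(5):   # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]


def spki_algorithm(spki_der):
    """Dotted OID of SubjectPublicKeyInfo.algorithm.algorithm."""
    _, spki, _ = _read_tlv(spki_der, 0)
    _, algid, _ = _read_tlv(spki, 0)         # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)


def key_family(cert_der):
    """389DS encryption family that can serve this certificate, or None."""
    return FAMILY_FOR_ALGORITHM.get(spki_algorithm(certificate_spki(cert_der)))


def check_dirsrv_cert(cert_der):
    """What the installer could run before creating cn=RSA,cn=encryption,cn=config."""
    family = key_family(cert_der)
    if family is None:
        raise ValueError(
            "389DS cannot serve a %s certificate from the RSA encryption family; "
            "use an RSA server certificate for --dirsrv-cert-file"
            % spki_algorithm(certificate_spki(cert_der)))
    return family


# --- constructed fixtures: structurally valid but unsigned certificate shells ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def _synthetic_cert(algid):
    """Bogus cert with dummy key bits and signature; only the structure matters."""
    spki = _tlv(0x30, algid + _tlv(0x03, b"\x00" + b"\x42" * 8))
    sig_alg = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + b"\x05\x00")  # sha256WithRSA
    utc = _tlv(0x17, b"151106000000Z")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _tlv(0x30, b"") + _tlv(0x30, utc + utc) + _tlv(0x30, b"") + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 5))


SAMPLE_CERTS = {
    "rsa": _synthetic_cert(_tlv(0x30, _oid(RSA_ENCRYPTION) + b"\x05\x00")),
    "ecdsa": _synthetic_cert(_tlv(0x30, _oid(ID_EC_PUBLIC_KEY) + _oid(PRIME256V1))),
}

if __name__ == "__main__":
    for name, der in SAMPLE_CERTS.items():
        print(name, spki_algorithm(certificate_spki(der)), key_family(der))
```

Run on the DER of the server certificate taken out of the --dirsrv-cert-file PKCS#12, the ECDSA sample yields no family name at all, which is exactly the condition on which the installer would have to stop before it ends up with the "SSL not supported by this server" state described in the original report, instead of failing later at ldappasswd.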